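---
# Nextcloud stack: PostgreSQL + Redis on a private bridge network, with the
# Nextcloud container published through Traefik on the external
# `traefik-public` network. Secrets are interpolated from `.env`.
version: '3.8'

networks:
  # Pre-existing network shared with the Traefik container.
  traefik-public:
    external: true
  # Only the three services below attach here in this file. The network is
  # not marked `internal`, so the database and Redis keep outbound access;
  # NOTE(review): consider `internal: true` if nothing else on this network
  # needs egress.
  productivity-backend:
    driver: bridge

volumes:
  nextcloud_data: {}
  nextcloud_db: {}
  nextcloud_redis: {}

services:
  nextcloud-db:
    image: postgres:15-alpine
    container_name: nextcloud-db
    restart: unless-stopped
    volumes:
      - nextcloud_db:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=nextcloud
      # `:?` makes Compose abort with this message when the variable is unset
      # or empty, instead of silently substituting an empty password.
      - "POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}"
    networks:
      - productivity-backend

  nextcloud-redis:
    image: redis:7-alpine
    container_name: nextcloud-redis
    restart: unless-stopped
    # No password is configured for Redis here; access control rests entirely
    # on membership of `productivity-backend`.
    volumes:
      - nextcloud_redis:/data
    networks:
      - productivity-backend

  nextcloud:
    # `latest` is a moving tag: an unattended pull can change the major
    # version underneath the data volume. Pin a specific release tag (or
    # digest) and upgrade deliberately.
    image: nextcloud:latest
    container_name: nextcloud
    restart: unless-stopped
    volumes:
      - nextcloud_data:/var/www/html
    environment:
      - POSTGRES_HOST=nextcloud-db
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=nextcloud
      # Must match the value given to nextcloud-db; fail fast when missing.
      - "POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}"
      - REDIS_HOST=nextcloud-redis
      # NOTE(review): if these two are empty the first-run admin account is
      # presumably not created automatically; confirm both are set in .env
      # before the router below exposes the instance.
      - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
      - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}
      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.sterl.xyz
      # TLS terminates at Traefik; tell Nextcloud to generate https URLs.
      - OVERWRITEPROTOCOL=https
      - OVERWRITEHOST=nextcloud.sterl.xyz
      # 172.16.0.0/12 is the whole private block Docker commonly allocates
      # bridge subnets from, so every container in that range is trusted to
      # supply forwarded client addresses. Narrow this to the
      # `traefik-public` subnet where it is known.
      - TRUSTED_PROXIES=172.16.0.0/12
    depends_on:
      - nextcloud-db
      - nextcloud-redis
    networks:
      - traefik-public
      - productivity-backend
    labels:
      - "traefik.enable=true"
      # The container sits on two networks; name the one Traefik should use
      # so it does not pick the backend address it cannot reach.
      - "traefik.docker.network=traefik-public"
      - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.sterl.xyz`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=cfresolver"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
      # Nextcloud-specific middlewares
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-chain"
      - "traefik.http.middlewares.nextcloud-chain.chain.middlewares=nextcloud-caldav,nextcloud-headers"
      # CalDAV/CardDAV redirect (`$$1` is Compose escaping for the regex
      # back-reference `$1`)
      - "traefik.http.middlewares.nextcloud-caldav.redirectregex.regex=^https://(.*)/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement=https://$$1/remote.php/dav/"
      - "traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent=true"
      # Security headers: one-year HSTS with subdomains and preload, framing
      # restricted to same origin, and search-engine indexing disabled.
      - "traefik.http.middlewares.nextcloud-headers.headers.stsSeconds=31536000"
      - "traefik.http.middlewares.nextcloud-headers.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.stsPreload=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.customFrameOptionsValue=SAMEORIGIN"
      - "traefik.http.middlewares.nextcloud-headers.headers.customResponseHeaders.X-Robots-Tag=noindex,nofollow"
      # docktail labels; their consumer is not defined in this file.
      - "docktail.enable=true"
      - "docktail.name=nextcloud"
      - "docktail.container_port=80"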